Skip to main content

Qunetswitch CVE-2026-22897

| EUVDEUVD-2026-13716 HIGH
OS Command Injection (CWE-78)
2026-03-20 qnap
8.1
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 06:19 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
2.0.4.0415
EUVD ID Assigned
Mar 20, 2026 - 16:30 euvd
EUVD-2026-13716
Analysis Generated
Mar 20, 2026 - 16:30 vuln.today
CVE Published
Mar 20, 2026 - 16:21 nvd
HIGH 8.1

DescriptionCVE.org

A command injection vulnerability has been reported to affect QuNetSwitch. The remote attackers can then exploit the vulnerability to execute arbitrary commands.

We have already fixed the vulnerability in the following version: QuNetSwitch 2.0.4.0415 and later

AnalysisAI

Remote command execution in QuNetSwitch versions prior to 2.0.4.0415 allows unauthenticated attackers to execute arbitrary system commands over the network with no user interaction required. The vulnerability stems from improper input validation in command processing functions, enabling complete system compromise. No patch is currently available for affected versions.

Technical ContextAI

The vulnerability exists in QNAP QuNetSwitch (CPE: cpe:2.3:a:qnap_systems_inc.:qunetswitch:*:*:*:*:*:*:*:*), a network switch management application developed by QNAP Systems Inc. The root cause is classified under CWE-78 (Improper Neutralization of Special Elements used in an OS Command), which describes situations where user-supplied input is insufficiently sanitized before being passed to system command execution functions. The vulnerability likely exists in a web-based management interface or API endpoint where user input is directly incorporated into shell commands without proper escaping or validation, allowing an attacker to break out of the intended command context and inject arbitrary shell metacharacters and commands.

RemediationAI

Immediately upgrade QuNetSwitch to version 2.0.4.0415 or later as provided by QNAP in the official security advisory (https://www.qnap.com/en/security-advisory/qsa-26-11). If immediate patching is not possible, restrict network access to the QuNetSwitch management interface to trusted administrative networks only, disable remote access if not required, and implement network segmentation to isolate switch management traffic. Monitor access logs for suspicious command patterns or unusual administrative activity until patching can be completed.

Share

CVE-2026-22897 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy